Monday, April 15, 2013

On RHEL in FIPS Mode

Went to an excellent talk by Steve Grubb of Red Hat that went over some of the particulars of the security systems in Red Hat Enterprise Linux. This talk really collected together a lot of the information that I had been searching for. I guess it is a fairly niche market that is searching for auditing capabilities, FIPS mode, and the like, so information was fairly thin until his talk. You can find his slides here.
For me the most important information at the moment is the FIPS 140-2 mode for RHEL 5 platforms. I was aware of the individual pieces: the fipscheck program verifies the integrity of selected binaries and libraries at start-up against the HMAC files shipped alongside them, OpenSSH is built with a FIPS mode, and so on. The slide on page 40 gave me the command that brings this all together. As root:
  • mkinitrd --with-fips -f /boot/initrd-$(uname -r).img $(uname -r)
  • Add fips=1 to the kernel line of the boot entry in /boot/grub/grub.conf
  • Reboot
Two caveats that I know of so far. First, in order for fipscheck to work, prelinking must be disabled: prelink rewrites the binaries in place, so their HMACs would stop matching every time prelinking is re-run (which happens nightly from cron). To disable prelinking on a system:
  • Edit /etc/sysconfig/prelink and set PRELINKING=no
  • Run 'prelink -ua' as root to undo the existing prelinking immediately, or just wait until the nightly prelink job runs; with PRELINKING=no it undoes the prelinking itself.
Second, /boot has to be a separate partition on your system; the FIPS initrd mounts it to check the kernel image against its HMAC file before continuing the boot.
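The three prerequisites above (prelinking off, /boot on its own mount, fips=1 on the kernel command line) plus the post-reboot kernel flag are easy to check by script. This is an added example, not something from the post, the slides or Red Hat: each check reads the file it inspects from an optional argument, defaulting to the live system path, so the same functions can be pointed at saved copies or constructed samples. It assumes the kernel exposes /proc/sys/crypto/fips_enabled, as the RHEL FIPS kernels do.

```shell
#!/bin/sh
# Pre-flight and post-reboot checks for the RHEL 5 FIPS 140-2 procedure.
# Added example, not from the post or from Red Hat. Each check takes the file
# to inspect as an optional argument (default: the live system path).

# Caveat 1: prelinking must be off, or fipscheck's HMACs break on the nightly run.
# Mirrors how the prelink cron job reads the file: the last PRELINKING=
# assignment wins, quotes are ignored, trailing comments are dropped.
prelink_disabled() {
    awk '
        /^[ \t]*PRELINKING=/ {
            sub(/^[ \t]*PRELINKING=/, ""); gsub(/["'"'"']/, ""); v = $1
        }
        END { exit (v != "no") }
    ' "${1:-/etc/sysconfig/prelink}"
}

# Caveat 2: /boot must be its own mount (the FIPS initrd mounts it to verify
# the kernel image). Field 2 of /proc/mounts is the mount point.
boot_is_separate() {
    awk '$2 == "/boot" { found = 1 } END { exit !found }' "${1:-/proc/mounts}"
}

# Step 2 of the procedure: fips=1 must appear as an exact word on the kernel
# command line (fips=10 or a bare "fips" do not count).
fips_on_cmdline() {
    for word in $(cat "${1:-/proc/cmdline}"); do
        [ "$word" = "fips=1" ] && return 0
    done
    return 1
}

# After the reboot the kernel reports the mode here (assumed path, exposed by
# the RHEL FIPS kernels).
kernel_fips_enabled() {
    f=${1:-/proc/sys/crypto/fips_enabled}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Run one check, print PASS/FAIL, and count failures in $failures.
# $1 = label, remaining arguments = the check command and its arguments.
run_check() {
    label=$1; shift
    if "$@"; then
        echo "PASS  $label"
    else
        echo "FAIL  $label"
        failures=$((failures + 1))
    fi
}

# Run every check; the return value is the number of failed checks (0 = ready).
# Optional arguments: prelink config, mounts file, cmdline file, fips_enabled file.
fips_preflight() {
    failures=0
    run_check "prelinking disabled (PRELINKING=no)" prelink_disabled "$1"
    run_check "/boot is a separate mount"           boot_is_separate "$2"
    run_check "fips=1 on kernel command line"       fips_on_cmdline "$3"
    run_check "kernel reports fips_enabled=1"       kernel_fips_enabled "$4"
    return "$failures"
}
```

Source the file and run `fips_preflight` with no arguments on the target host; before the reboot the last check is expected to fail, after it all four should pass.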
There is now a Red Hat Knowledgebase article describing this process; sadly, you now have to be logged in to see Red Hat Knowledgebase articles.

1 comment:

  1. An impressive share! I have just forwarded this onto a colleague who had been conducting a little research on this. And he actually bought me dinner simply because I discovered it for him... lol. So let me reword this.... Thanks for the meal! But yeah, thanks for spending the time to discuss this topic here on your website.


    Also visit my blog: web Design ideas